Lock Down Your Identity: A Practical Week-One Security Overhaul for Australian Businesses

Why Identity Is Your #1 Risk Right Now

Your perimeter is gone. Staff log in from home networks, personal devices, and coffee shop Wi-Fi. Attackers know this, and credential-based attacks — phishing, password spraying, session hijacking — account for the majority of breaches targeting Australian organisations. The Australian Signals Directorate (ASD) lists Multi-Factor Authentication as a standalone control in the Essential Eight precisely because it stops the largest class of attacks dead.

The good news: identity security is also the highest-leverage investment you can make. Unlike endpoint detection or network segmentation (expensive, slow to deploy), MFA and SSO deliver an immediate, measurable reduction in attack surface for minimal cost and effort.

Step 1: Enforce Phishing-Resistant MFA (Days 1–2)

Not all MFA is equal. SMS-based codes are vulnerable to SIM-swap attacks and are explicitly discouraged by NIST SP 800-63-3 for high-assurance scenarios. What you want is phishing-resistant MFA — methods that cryptographically bind authentication to a legitimate origin so a phishing site simply cannot capture the credential.

What to deploy:

• FIDO2 hardware keys (YubiKey 5 Series): ~$55–$75 per key, one-time cost per user. Gold standard. Works with Microsoft Entra ID, Google Workspace, Okta, and most SSO providers. Issue one primary and one backup key per user.
• Passkeys (platform authenticators): Apple Touch ID, Windows Hello, Google Passkeys. Free, built into devices users already carry, and fully phishing-resistant. Use these as the primary method for most staff.
• Authenticator apps (TOTP): Microsoft Authenticator, Google Authenticator, Authy. Better than SMS but still phishable via real-time adversary-in-the-middle proxies. Acceptable as a transitional method, not an end state.

Concrete action: In Microsoft Entra ID, navigate to Security > Conditional Access > Create new policy. Target "All users," set cloud apps to "All cloud apps," and under Grant, select "Require multifactor authentication" with "Require password change" disabled. For phishing resistance, add the policy "Require authentication strength" and select "Phishing-resistant MFA." This restricts login to FIDO2 and passkey methods only.

Cost: Microsoft Entra ID P1 is $8.60 AUD per user/month (includes Conditional Access). YubiKeys are a one-time ~$65 each. Google Workspace includes passkey support at no additional cost.

Step 2: Deploy Single Sign-On (Days 2–4)

If your staff are entering passwords into a dozen different applications, you have two problems: password fatigue leads to reuse, and you have no central point to enforce access policy or revoke access when someone leaves.

SSO consolidation options:

• Microsoft Entra ID: Native if you're on Microsoft 365. Supports SAML and OIDC for ~thousands of third-party apps. Conditional Access policies apply across every connected application.
• Google Workspace SSO: Included in Google Workspace Business Standard ($16.40 AUD/user/month). Simple setup for Google-native environments.
• Okta Workforce Identity: $3–$10 USD per user/month depending on tier. Strongest app catalogue and provisioning workflows if your stack is heterogeneous.
• Authentik (self-hosted): Open-source IAM and SSO. Free software, host it on a $10/month VPS. Ideal for technically capable teams who want full control without per-user licensing. Supports SAML, OIDC, LDAP, and SCIM provisioning.

Concrete action: Inventory every application your team uses (ask them — you'll be surprised). Prioritise SSO connections for email, file storage, your CRM, your finance system, and any application handling customer data. Aim to connect 80% of applications to your identity provider within the week. Legacy apps without SSO support can be proxied or stored in your password manager with auto-fill disabled.

Step 3: IAM Cleanup — Purge the Rot (Days 3–5)

Dormant accounts are silent vulnerabilities. A contractor who left eight months ago still has a valid email login. A service account with a password that hasn't been rotated since 2022. A shared mailbox that forwards to a domain you no longer own. Attackers love these because nobody monitors them.

Run this cleanup checklist:

1. Export your user list from Entra ID / Google Workspace / Okta. Filter for accounts with no login activity in 30, 60, and 90 days.
2. Disable before deleting. Disable accounts for 14 days first — this catches break-glass scenarios where an account looks dormant but is used for quarterly processes.
3. Audit service accounts. These are non-human accounts (API integrations, backup scripts, sync tools). Each one should have documented ownership, scoped permissions (least privilege), and a credential rotation schedule.
4. Remove local admin rights. Per ASD Essential Eight, restrict administrative privileges to dedicated admin accounts used only for admin tasks. Daily-driver accounts should have standard user rights. CIS Controls v8 Control 6 reinforces this as a benchmark requirement.
5. Review external/guest access. B2B guest accounts in Entra ID or Google Workspace frequently accumulate without expiry. Set a 90-day inactivity policy to auto-revoke guests.

Tool: Microsoft Entra ID's "Sign-in logs" (Monitoring > Sign-ins) show last login per user. Export to CSV and sort by date. This takes 20 minutes for most SMBs and typically surfaces 5–15 zombie accounts.

Step 4: Zero Trust Identity Verification (Days 4–5)

Zero trust isn't a product — it's the principle that no access request is trusted by default, regardless of network location. For identity specifically, this means every authentication is evaluated against current context: is the device managed? Is the location expected? Has this IP been seen before?

Implement these Conditional Access rules in Entra ID (or equivalent in Okta/Authentik):

• Block legacy authentication protocols (IMAP, POP3, SMTP basic auth) — these bypass MFA entirely and are the #1 entry point for password spray attacks.
• Require compliant or Entra-joined devices for access to admin portals and sensitive applications.
• Require MFA re-authentication when access originates from an unfamiliar location.
• Block access from countries where you have no business presence. For Australian businesses, this alone eliminates a large volume of automated attacks.

Step 5: Password Policy and Manager Rollout (Day 5)

Your password policy should align with NIST SP 800-63B: drop forced periodic resets (they encourage predictable patterns like "Summer2026!"), enforce minimum length of 12–16 characters, screen new passwords against known-breached lists, and allow all printable characters including spaces.

Deploy a password manager to eliminate password reuse entirely:

• 1Password Business: $10.78 AUD per user/month. Excellent UX, shared vaults, built-in breach monitoring, and Watchtower reporting on weak/duplicate passwords.
• Bitwarden Business: $4.90 AUD per user/month. Open-source, self-hostable, strong feature parity. Best value for budget-conscious teams.

The immediate win: conduct a "password audit" in your first week. Have every team member check their vault for duplicates and passwords shorter than 12 characters. Most teams find 30–60% reuse in the first pass.

Total cost for a 20-person team: Entra ID P1 ($172/month) + YubiKeys ($1,300 one-time) + Bitwarden Business ($98/month) = roughly $270/month ongoing, or ~$13.50/user/month including amortised keys. Drop the hardware keys and use passkeys only, and you're at the $5–$10/user/month target.

FAQ

Conclusion

You don't need a six-month transformation programme to meaningfully improve your identity security posture. In five focused days, you can enforce phishing-resistant MFA, consolidate access through SSO, purge dormant accounts, implement zero trust conditional access, and roll out a password manager — for $5–$10 per user per month. Start with MFA enforcement today; it's the single highest-impact control in the ASD Essential Eight and it blocks the majority of attacks targeting Australian businesses.

Visit consult.lil.business for a free cybersecurity assessment — we'll review your current identity setup, identify your highest-risk gaps, and give you a prioritised remediation plan tailored to your environment.

References

1. Australian Signals Directorate — Essential Eight Maturity Model
2. NIST SP 800-63-3 — Digital Identity Guidelines
3. CIS Controls v8 — Control 5: Account Management & Control 6: Access Control Management
4. Australian Cyber Security Centre — Phishing-Resistant Multi-Factor Authentication Guidance

Verifier warning: verifier could not run (PluginLlmTrustError).